
RE: New XAUTH draft



Hi Scott,

<snip> 
> No, actually I'm referring to stability, analyzability, and other
> security characteristics. Adding more complexity and states to IKE makes
> it harder to analyze, and more susceptible to a variety of attacks.
> There are a number of people better qualified to discuss this than I am
> who might want to jump in here...
> 
<snip>

I see, sorry for the confusion.  Please disregard my comments about reducing
the entropy.

I don't see how XAUTH complicates IKE to a level where IKE might become
unstable.  IKE simply goes from Phase1 - Phase2, to Phase1 - XAUTH - Phase2.

The only other solution to the problem I've heard is Phase1 - Phase2 (but
only special phase2's destined to Authentication servers) - Phase2.  This
seems even more complicated to me.  Not to mention it seems easier to make a
configuration / implementation mistake here.

Once again, sorry for the confusion.
Stephane.